DATA  SECURITY:  WHO’S  (REALLY)  IN  CHARGE? 


PAGE  36 


Eyes  Have  It 

How to
manage  video 

PAGE  22 


Chaos  Theory 

Making  sense  of 
vulnerabilities 

PAGE 34


how to build up your
company: secrets of
success from the 2009
Compass Award winners


Navistar  International’s  John 
Martinicky:  Security’s  value 
rises  in  a  down  economy 


www.csoonline.com  $9.00  May  2 


A  RECENT  INDEPENDENT 
STUDY  SHOWS  THAT 
JUNIPER  CAN  REDUCE 
NETWORK  OPERATION 
COSTS  BY  UP  TO  41%. 

A  FACT  THAT’S  HARD  TO 
IGNORE,  UNLESS  YOU’RE 
TOO  BUSY  MANAGING 
YOUR  NETWORK. 


RETURN  ON  INNOVATION. 


© 2009 Juniper Networks, Inc.


Find  out  more  by  downloading  the  complete  commissioned 
study  conducted  by  Forrester  Consulting  at  juniper.net/save 


May  2009  Vol.8,  No.  4 


Features... 

26  Leadership  in 
Trying  Times 

Cover Story Our 2009 CSO Compass
Award winners come from disparate
backgrounds and careers. But
these security leaders are all working
to make security a wise business
investment amid economic chaos.

By  Joan  Goodchild 

32  Five  Steps  to 
Communicate 
Security’s  Value  to 
Nonsecurity  People 

Communication In belt-tightening
times, making the case for security
investment is more difficult than ever.
Security Catalyst founder Michael
Santarcangelo details five steps that
risk professionals can use to communicate
value effectively.

By  Joan  Goodchild 


Also  Inside... 


4  From  the  Editor 
6  From  the  Publisher 

8  Join  the  Discussion 

CSOonline  readers  debate 
vendor  contract  standards 
and  the  effort  to  keep  risk 
management  in  sync  with 
cloud  computing. 

11  Briefing 

■  Computer  hijacking 
increasingly  clever 

■  Power  grid  hackers  got 
inside  by  attacking  PCs 

■  Dumpster  diving:  still 
a  good  way  to  dig  up 
private  information 

■  Federalizing  cybersecurity: 
necessary  or  nitwitted? 

■  Conficker’s  makers 
lose  big,  expert  says 

■  Quake  has  Italians  reaching 
to  YouTube,  mobile  services 

■  Five  ways  to  survive  a  data 
breach  investigation 


22  VMS:  That  Vision  Thing 
Toolbox  Video  management 
software  helps  with  efficient 
monitoring,  transmission 
and  storage  of  IP  surveillance 
video. By Mary Brandel

34  How  SCAP  Brought 
Sanity  to  Vulnerability 
Management 
CSO View One CISO on the
Security Content Automation
Protocol and turning chaos
into order. By Ed Bellis

36  Whose  Job  Is  It 
Anyway? 

Forrester  View  Forrester 
believes  CISOs  must  revisit  the 
need  to  manage  data  security 
centrally. By Andrew Jaquith

40  Debriefing 

The final tweets of Harold Wigginbottom,
tech-savvy CEO


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


2  www.csoonline.com  May  2009 


Cover  photo  by  Bob  Stefko 


Alerting  everyone  in  your 
organization  about  a  security  threat  — 

Now  it  can  be  as  easy  as  pressing  a  button. 


Business Solutions

Introducing ADT Select Link℠, an alert notification system that uses Web-based technology to
help broadcast emergency alert and other important messages to telephones, cell phones, e-mail,
wireless PDAs and more. The ADT Select Link℠ service can be accessed through an Internet
browser and requires no dedicated server or software installation.


Call  1-800-500-5259  now  to  receive  the  whitepaper  "7  Key  Considerations 
for  Selecting  an  Alert  Notification  Service"  or  visit  ADT.com. 


Monitoring  Access  Control  Video  Surveillance  RFID  Intrusion  Detection  EAS  Fire  &  Life  Safety 

ADT state license numbers are available for review at www.ADT.com or by contacting 1-800-ADT-ASAP. ©2009 ADT Security Services, Inc. All Rights Reserved. ADT, the ADT logo, ADT Always There and 1-800-ADT-ASAP are registered
trademarks of ADT Services AG, and are used under license.


FROM THE EDITOR


The  Steady 
Hand 

John  Martinicky,  director  of  global  security 
at  Navistar  International,  makes  a  simple 
point in this issue: “In desperate times,
people do desperate things.”

Indeed.  These  are  desperate  times,  both 
home  and  abroad,  and  security  incidents  large 
and  small  reflect  that  fact. 

■ Pirates, some of them mere teenagers,
hijack vessels off the coast of impoverished
Somalia.

■  A  robber  sticks  up  a  convenience  store  in 
Washington  state,  brandishing  a  gun  while 
his  frightened  young  daughter  stands 
alongside. 

■  The  deluge  of  phishing  e-mails  continues, 
using  as  their  bait  tax  refunds  or  bailout 
payments  or  swine  flu  or  whatever  topic’s 
in  the  headlines. 

■ Tragedies of violence in schools and
workplaces also continue.

Of  course  if  you’ve  spent  a  few  years  in 
security,  you  recognize  that  these  things 
happen  in  good  times  as  well.  So  while  the 
frequency or degree of incidents may rise, few,
if any, of today’s challenges should catch you
by  surprise.  To  warp  an  old  saw,  the  job  of  the 
CSO  is  to  expect  the  expected. 

Martinicky  has  seen  a  lot  in  his  career 
at  Navistar:  He’s  been  there  for  more  than 
30  years.  In  that  time,  the  company  has  had 
periods  of  growth  and  international  expansion, 
and  also  times  of  severe  contraction.  He’s 
emphatic  about  the  value  of  security  in  down 
times.  He  advocates  for  a  laser-like  business 
focus.  He’s  built  a  robust  metrics  program 
to  make  sure  that’s  what  his  department  is 
delivering. 


He’s  one  of  this  year’s  six  CSO  Compass 
Award  winners;  Senior  Editor  Joan  Goodchild 
interviewed  each  to  extract  takeaways  to  help 
others  build  programs  of  similar  excellence. 
(See  Page  26.)  Five  of  them  held  a  panel 
discussion on leadership at our CSO Perspectives
conference this past March. Given his
relatively  unique  perspective,  having  watched 
the  vagaries  of  economy  and  industry  at  a 
single  company  for  three  decades,  it  seemed 
natural  to  ask  Martinicky  for  the  closing 
thought.  Given  all  the  turmoil  in  the  world 
today,  what  should  be  the  top  priority  for 
security  leadership? 

His  answer  was  as  simple  and  clear  as  the 
thought  that  opens  this  column.  “You’ve  got  to 
stay positive,” he said. There’s plenty of negative
that can grab your focus, but strong leaders
resist that temptation. To focus on things
you  can’t  control,  or  to  be  buffeted  about  by 
the  negativity  that  accompanies  budget  cuts 
and  desperate  security  incidents,  merely  slows 
the  return  of  better  times. 

Along  with  the  innovative  and  creative 
efforts  I’ve  urged  in  this  space  over  the  past 
few issues, this is the other thing your
organizations need from the CSO today: A steady
hand  on  the  rudder. 

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill  Brenner,  Joan  Goodchild 
Copy  Editor 
Kristin  Burnham 
Editorial  Administrator 
Simone  Levien 
Contributors 

Ed  Beilis,  Mary  Brandel,  Jarina  D’Auria 
Andrew  Jaquith,  Gregg  Keizer, 
Francesca  Papapietro,  Giulia  Pisino, 
Jaikumar  Vijayan 

DESIGN 

Executive  Director,  Art  and  Design 
Mary  Lester 

Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jason  Cowling 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 
Richard  Power,  Carnegie  Mellon  CyLab 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  BOX  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 


INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 

Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO 

Bob  Carrigan 




Photo  by  Webb  Chappell 


SYMANTEC 

PROTECTS  MORE 



THAN  ANYONE 


SYMANTEC  IS  THE  WORLD  LEADER  IN  SECURITY. 

Know  what  it  takes  to  be  secure  today  at  go.symantec.com/securityleader 


Confidence  in  a  connected  world. 


Symantec 


©2009  Symantec  Corporation.  All  rights  reserved.  Symantec  and  the  Symantec  Logo  are  registered  trademarks  of  Symantec  Corporation  or  its  affiliates  in  the  U.S. 
and  other  countries.  Other  names  may  be  trademarks  of  their  respective  owners. 


FROM  THE  PUBLISHER 


A  Recipe  for 
Disaster 

During  the  past  months,  U.S.  Attorney 
General  Eric  Holder  has  wrapped 
himself  in  the  blame  game  blanket, 
most  recently  as  he  pushed  hard  for 
investigations  into  the  interrogation  methods 
used against suspected terrorists. He was
particularly interested in going after the attorneys
who  developed  the  legal  position  that  the  use 
of  waterboarding  was  allowable.  Many  have 
argued  that  his  actions  will  make  government 
officials  apprehensive  in  making  any  decisions 
for  fear  of  what  the  next  administration  will  do. 

In  his  book  “Lone  Survivor,”  retired  U.S. 
Navy SEAL Marcus Luttrell (the closing
keynote speaker at this year’s CSO Perspectives
conference)  writes  about  the  concerns  he  and 
other  soldiers  faced  when  going  into  combat 
in  Afghanistan  and  Iraq.  The  last  person 
they  would  meet  with  before  heading  out 
was  a  representative  of  the  Judge  Advocate 
General’s  office  who  would  brief  them  on  what 
they  could  and  could  not  do.  When  three  goat 
herders  stumbled  upon  the  SEALs  while  they 
were  on  a  covert  mission  in  the  mountains 
of  Afghanistan,  Marcus  and  his  fellow  SEALs 
faced  the  dilemma  of  killing  the  goat  herders 
so  they  would  not  give  up  the  SEALs’  position 
or  letting  them  go. 

From  a  military  standpoint,  their  decision 
was very straightforward. But their concerns,
how the media might ultimately portray their
actions by blaming them for the wrongful
killing of noncombatants, and the fear that the
military would be forced to court-martial them
under pressure to assign blame, ultimately
led  them  to  release  the  goat  herders.  Not  long 
after  that,  they  were  set  upon  by  150  Taliban 
soldiers.  The  ensuing  battles  resulted  in  the 
deaths  of  19  American  Special  Forces  soldiers. 
The  examples  go  on  and  on:  the  bailouts  of  AIG 
and  the  mortgage  lenders,  9/11,  etc. 

In my column last month I raised the question
of whether we assign too much blame
to  the  business  that  suffers  a  data  breach  as 
opposed  to  the  individuals  who  actually  steal 
the  data.  I  think  a  better  term  to  use  might 
have  been  “responsibility.”  I  agree  with  many 
of  you  who  e-mailed  me  that  it’s  really  an  issue 
of  assigning  levels  of  responsibility,  not  blame. 
Of  course,  this  may  just  be  semantics. 

The concern here is whether we are
fixating on assigning blame in the wake of those
events  that  we  should  be  learning  from.  CSOs 
can  do  their  best  to  sell  the  need  for  good 
security  to  their  organizations,  but  if  senior 
management chooses not to listen, or to
only take some of the CSO’s advice, that is a
business decision. I’m fine with that. But what
often happens is that when it hits the fan, the
CSO gets blamed. As you’re all aware, it can be
a thankless job.


Why  is  this?  Should  we  blame  the  lawyers? 
The media? See, there I go playing the blame
game,  and  to  be  honest  I  didn’t  even  realize 
it  until  I  had  already  typed  it.  Regardless,  it 
can  be  a  recipe  for  disaster  because  when  the 
focus  is  on  blame  instead  of  learning  from  our 
actions,  we  cease  to  learn  and  grow  and  begin 
to  stall  and  fail. 

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser Index

ADT Security Services, Inc. ... 3
ASIS International ... 23
CA ... C4
CDW Corp. ... 10
CXO Media Inc. ... 37
Executive Women’s Forum ... 39
HID Corp. ... 7
Juniper Networks, Inc. ... C2
Lumension ... 17
PhoneFactor ... C3
RSA Security ... 19, 21
Symantec Corp. ... 5
Trend Micro Inc. ... 15
Verisign ... 13


Photo  by  Christopher  Navin 


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 
National  Sales  Manager 

Per  Melker 

Senior  Ad  Sales  Associate 

Christine  McKay 

East  Coast  Regional  Sales  Manager 

Roz  Burke 

West  Coast  Regional  Sales  Manager 
Michelle  McHugh 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Tara  Shea 
Online  Advertising  Specialist 

Barbara  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 

Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 

Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 

Deb  Begreen 

Editorial Manager Lafe Low
Sales  Associate 
Lauren  Costello 
Event  Planner  Sarah  Reagan 
Event  Planner/Client  Relations 
Laura  Biringer 

Registration  Specialist  Cress  O’Brien 
Senior  Marketing  Specialist 
Lauren  Wilson 

Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact  Paul  Capone  of 
IDG  List  Services  at  508  370-0865  or 
pcapone@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  150, 
cso@theygsgroup.com 




For  log-on  security,  forget 
passwords,  remember  HID. 


Passwords  have  long  been  used  as  a  means  of  log-on  security, 
but  an  easier,  more  reliable  way  to  control  access  to 
Windows®  is  the  same  way  you  do  with  your 
doors  -  with  HID  contactless  technology. 
You  don’t  have  to  re-badge.  It’s  ready  to  go 
from  day  one  with  the  same  credential. 
And  it’s  an  easy  transition  for  cardholders 
because  they’re  already  familiar  with  the  contactless 
technology.  Proven,  cost-effective,  simple  -  HID  is 
where  convenience  meets  security  on  the  desktop. 

Get  your  FREE  white  paper  at 
passwords.hidglobal.com 


HID,  the  world  leader  in  physical  access  control 
can  now  provide  secure  access  to  your  network. 

All  on  your  current  card. 


hidglobal.com 


ACCESS  logic. 




What’s on your mind? Security leaders discuss
and debate at www.csoonline.com

MORE ON THE WEB

Security Tools, Templates, Policies

Our new tools and templates section on CSOonline.com includes sample policies with expert commentary, templates and checklists for security, business continuity, risk assessment and more.

www.csoonline.com/article/486324

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 150, cso@theygsgroup.com.

BLOG POST

Including Standards in Your Vendor Contracts

Michael Overly looks at two types of contractual requirements, allowing for evolution of technology and standards

The April issue of Technology Review magazine ran a fascinating story about the work of Marc Stevens, a PhD student at a school in the Netherlands. Using nothing more than a laptop and his PlayStation 3, Marc was able to force the MD5 (Message-Digest algorithm 5) digital fingerprint for an unrelated file to match that of a target file. He did this by appending junk data to the unrelated file. While this kind of “collision” is theoretically possible using almost any hash function, the possibility of intentionally forcing collision by such modest computing means is disturbing. Other flaws have been identified since MD5 was first released in 1991 by Ron Rivest, including the potential to fake SSL certificate validity. This points out the continuing (and expected) trend that as our knowledge of cryptography increases and computing power becomes less expensive, previously secure algorithms and technologies are being compromised at an ever-more-rapid rate.

In light of the foregoing, it is important to highlight the need for language in vendor and business-partner contracts that includes a “floating standard” for security measures. Specifically, agreements in which pieces of sensitive data will be shared with a vendor or business partner should include two categories of information security protections. The first category relates to “fixed” security standards and should include specific details about the baseline security requirements for the vendor or business partner (e.g., SSL in transmitting data over the Internet, a defined level of encryption for databases, no use of removable media, data scrubbing procedures, etc.). The second category relates to “floating” security requirements or standards. This language is typically worded along the lines of “physical and logical security measures consistent with then-current industry best practices” or similar language. The idea is to supplement the fixed standards with any evolving standards during the term of the agreement. In the case cited above, if MD5 was being used, the evolving standard may be to transition to a more secure hash function. The point is to ensure that information security is not a static, but a dynamic requirement in your vendor and business-partner agreements.

- Michael Overly

BLOG POST

Cloud Security Alliance Launches

Jeff Bardin sounds “all aboard” for the effort to keep risk management in sync with cloud computing

The Cloud Security Alliance is about to move to the forefront of security and risk issues related to the industry movement toward cloud computing.

As part of the launch at RSA, the Cloud Security Alliance [issued] its inaugural whitepaper, “Guidance for Critical Areas of Focus in Cloud Computing,” which outlines key issues and provides advice for both cloud computing customers and providers within 15 strategic domains. “We expect a great deal of migration toward cloud computing within the federal government, in addition to the already-robust private-sector growth,” says former White House advisor Paul Kurtz, partner with Good Harbor Consulting and Cloud Security Alliance founding member. “The growth of the cloud should not outpace our ability to protect the data that goes into it, and the Cloud Security Alliance is a key collaborative effort to help assure that is the case.” What are those 15 domains?

■ Information lifecycle management

■ Governance and enterprise risk management

■ Compliance and audit

■ General legal

■ eDiscovery

■ Encryption and key management

■ Identity and access management

■ Storage

■ Virtualization

■ Application security

■ Portability and interoperability

■ Data center operations management

■ Incident response, notification, remediation

■ “Traditional” security impact (business continuity, disaster recovery, physical security)

■ Architectural framework

The Cloud Security Alliance has engaged noted experts within several fields, including governance, law, network security, audit, application security, storage, cryptography, virtualization, risk management and several others, in order to provide authoritative guidance to securely adopt cloud computing solutions. Alan Boehme, Cloud Security Alliance founding member and senior vice president of IT strategy and architecture at ING, says that this guidance is timely: “Enterprises need pragmatic advice to qualify and engage with cloud providers in a way that is in alignment with organizational risk tolerances. We also need the flexibility to use cloud services for business needs of varying levels of sensitivity. It is important to me that the Cloud Security Alliance’s recommendations are being driven by leading practitioners.”

In the week following the RSA conference, the Cloud Security Alliance [launched] its one-year road map of activities and deliverables at Infosecurity Europe in London. We are also in the process of working other events and may wish to leverage other organizations to get the word out and to continue to hone our message.

If you want to get involved, the LinkedIn group is a great place to get started. Follow us on Twitter for up-to-date info and, of course, we do have a Facebook presence!

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of cloud computing to help secure all other forms of computing. The Cloud Security Alliance is led by industry practitioners and supported by founding charter companies PGP Corporation, Qualys and Zscaler. For further information, the Cloud Security Alliance website is www.cloudsecurityalliance.org. For the full press release, see www.cloudsecurityalliance.org/pr20090331.html.

-Jeff Bardin
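Michael Overly's post above argues that a hash function written into a contract as a "fixed" standard (MD5 in his example) must be allowed to "float" to a stronger one during the term of the agreement. The added example below, which is not from the CSO article or from either blog author, shows what that looks like on the technical side: a file-integrity manifest checker whose policy separates approved from deprecated algorithms, refuses to accept a digest under a retired algorithm even when it matches, and re-issues those entries under an approved algorithm. The manifest format, the policy sets, the file contents and every digest other than the computed SHA-256 ones are constructed assumptions for illustration.

```python
import hashlib
import hmac

# Policy baseline (assumed for this example): the "fixed" standard names the
# algorithms acceptable today; the "floating" standard is modelled by a
# deprecation set that can grow as industry practice evolves, without
# changing the verification code itself.
APPROVED_ALGORITHMS = {"sha256", "sha512"}
DEPRECATED_ALGORITHMS = {"md5", "sha1"}

# Constructed sample files standing in for data exchanged with a vendor.
FILES = {
    "customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "invoice.pdf": b"%PDF-1.4 constructed sample bytes\n",
    "report.pdf": b"%PDF-1.4 another constructed sample\n",
}


def digest(algorithm: str, data: bytes) -> str:
    """Hex digest of data under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()


def manifest_line(algorithm: str, filename: str, data: bytes) -> str:
    """Format one manifest entry as 'algorithm:hexdigest  filename' (two spaces)."""
    return f"{algorithm}:{digest(algorithm, data)}  {filename}"


def check_entry(line: str, files: dict) -> tuple:
    """Classify one manifest entry against the policy and the files we hold.

    Returns (filename, status); status is one of ok, mismatch,
    deprecated_algorithm, unknown_algorithm, missing_file or malformed.
    A deprecated algorithm is rejected before any digest is compared: a
    matching MD5 digest proves nothing once collisions are practical.
    """
    try:
        spec, filename = line.split("  ", 1)
        algorithm, expected = spec.split(":", 1)
    except ValueError:
        return (line, "malformed")
    algorithm = algorithm.lower()
    if algorithm in DEPRECATED_ALGORITHMS:
        return (filename, "deprecated_algorithm")
    if algorithm not in APPROVED_ALGORITHMS:
        return (filename, "unknown_algorithm")
    if filename not in files:
        return (filename, "missing_file")
    actual = digest(algorithm, files[filename])
    # Constant-time comparison so timing does not reveal where digests differ.
    if hmac.compare_digest(actual, expected.lower()):
        return (filename, "ok")
    return (filename, "mismatch")


def verify_manifest(lines: list, files: dict) -> tuple:
    """Check every non-blank entry; accept only if every entry is 'ok'."""
    results = [check_entry(line, files) for line in lines if line.strip()]
    accepted = bool(results) and all(status == "ok" for _, status in results)
    return accepted, results


def migrate_manifest(lines: list, files: dict, new_algorithm: str = "sha256") -> list:
    """Re-issue entries that rely on a deprecated algorithm using new_algorithm.

    This is the technical side of the 'floating standard': when the policy
    retires MD5, entries for files we hold are recomputed; entries for files
    we do not hold are left as they are, since we cannot recompute them.
    """
    if new_algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{new_algorithm} is not an approved algorithm")
    migrated = []
    for line in lines:
        filename, status = check_entry(line, files)
        if status == "deprecated_algorithm" and filename in files:
            migrated.append(manifest_line(new_algorithm, filename, files[filename]))
        else:
            migrated.append(line)
    return migrated


# Constructed manifest exercising each outcome; digests other than the first
# entry are deliberate placeholders, not real values.
SAMPLE_MANIFEST = [
    manifest_line("sha256", "customers.csv", FILES["customers.csv"]),
    "md5:" + "d" * 32 + "  invoice.pdf",         # rejected by policy, digest never compared
    "sha256:" + "0" * 64 + "  report.pdf",       # approved algorithm, wrong digest
    "sha256:" + "0" * 64 + "  notes.txt",        # file the vendor never delivered
    "whirlpool:" + "0" * 128 + "  invoice.pdf",  # algorithm not on the approved list
    "garbage",                                   # malformed entry
]

if __name__ == "__main__":
    accepted, results = verify_manifest(SAMPLE_MANIFEST, FILES)
    print("accepted:", accepted)
    for filename, status in results:
        print(f"  {status:<21} {filename}")
    migrated = migrate_manifest(SAMPLE_MANIFEST, FILES)
    print("invoice.pdf after migration:", verify_manifest(migrated, FILES)[1][1])
```

The policy sets are the only thing that changes when the standard floats: adding `"sha1"` to the deprecated set, or a new algorithm to the approved set, needs no change to the checking logic, and `migrate_manifest` gives the re-hashing step a vendor would be contractually expected to perform.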




There's no good way to find out someone has stolen
your data. We can help make sure you never have to.

The Right Technology. Right Away.

We're there with the security solutions you need.

With data and identity theft on the rise, now might be the best time to start beefing up your security.
Lucky for you, CDW has people ready to help. Our personal account managers work along with highly
trained technology specialists to find the perfect data security solutions for you. And with our custom
configuration services, everything will be ready to go when it arrives. Call CDW today and we'll introduce
you to some of the best security guards in the business.

CDW.com 800.399.4CDW

Cisco® ASA 5505 Adaptive Security Appliance

• Secures your network against attacks such as worms, viruses, spyware, keyloggers, Trojan horses, rootkits and hackers
• Combines feature-rich VPN connectivity with comprehensive threat defense to deliver cost-effective remote network access
• Protects users accessing the network from a personal or public PC with Cisco Secure Desktop

$501 CDW 1232877

WatchGuard® Firebox® X10e UTM Bundle

• Offers deep application firewall, VPN, zero-day protection, antivirus, intrusion prevention, antispyware, antispam and URL filtering
• Advanced networking and traffic management capabilities maximize network configurability
• Includes the appliance and one-year subscriptions to Gateway Antivirus, spamBlocker, WebBlocker and LiveSecurity® Service

$414 CDW 1065037

Trend Micro™ NeatSuite™ Advanced

• Delivers multilayered, multithreat protection in a single gateway-to-endpoint suite
• Protects against the growing threat of Web-borne attacks
• Provides maximum IT efficiency with automatic updates, centralized management console and reporting
• Offers high scalability and extensive configuration options

51-250 user license¹ $59.99 CDW 1258918

¹Licensing requires a minimum purchase of five licenses; includes one-year Maintenance (12x5 telephone and online technical support, virus pattern updates
and product version upgrades). Offer subject to CDW's standard terms and conditions of sale, available at CDW.com. ©2009 CDW Corporation


“If it extends into general business, it’s doomed to failure.”


Edited  by  Bill  Brenner 


Botnet  Hunters:  Computer 
Hijacking  Increasingly  Clever 


New research from the security community
suggests that enterprise IT shops
are losing the war against those who
would hijack company computers for
use in an ever-growing array of botnets.

Case in point: At the RSA Security conference
in San Francisco late last month, security
vendor Finjan Software released details of
what their botnet hunters have been finding of
late. The numbers aren't pretty.

Finjan’s  Malicious  Code  Research  Center 
(MCRC)  found  a  network  of  1.9  million  Trojan 
horses  running  on  corporate,  government 
and  consumer  computers  around  the  world 
during an investigation of command-and-control
servers run by botnet herders from the
Ukraine  and  elsewhere.  One  server,  launched 
in  February  but  later  shut  down,  was  hosted  in 
the  Ukraine  and  controlled  by  an  online  gang 
of  six  people  who  managed  to  establish  a  vast 
Trojan  distribution  network. 

[Read  a  related  feature:  “What  a 
Botnet  Looks  Like”  at  www.csoonline.com/ 
article/348317.] 

“Hackers keep looking for improved ways
to distribute malware, and Trojans are
winning the race. The sophistication
of the crimeware and the staggering
amount of infected computers proves
these people are raising the bar,” Finjan
CTO Yuval Ben-Itzhak said in an interview
a week before the findings were officially
released at RSA. “Corporate and governmental
data remain prime targets, especially computers
in the U.S. and the U.K. that are under
attack and need to protect themselves.”


Based  on  posts  found  in  various  hacking 
forums,  researchers  believe  1,000  hijacked 
computers  are  being  rented  out  for  $100  to 
$200  a  day.  The  bad  guys  can  make  $190,000  a 
day  for  renting  a  botnet  of  1.9  million  infected 
computers. 

The  Trojan  horse  programs  are  silently 
dropped  on  computers  when  the  user  visits 
compromised  websites  that  hide  the  malware. 
The  giant  command-and-control  server 
that  researchers  uncovered  includes  the  IP 
addresses  of  infected  machines  as  well  as 
the  computers’  names  inside  corporate  and 
government  networks  that  are  running  the 
Trojan  horse. 

Computers in 77 government-owned
domains (.gov) from the U.S., U.K., Brazil,
Turkey and India have been compromised and
are running the Trojan horse. The malware is
remotely controlled by hackers who use them
to deliver almost any command on the end-user
computer as they see fit, including reading
e-mails, copying files, recording keystrokes,
sending spam and making screenshots.

Finjan’s  findings  square  with  what  other 
researchers  are  seeing. 

Alex Lanstein, senior security researcher at FireEye, a security vendor based in the San Francisco Bay area, says some of the larger botnets out there get no press because their overlords don’t want to make news and let people know their machines are infected. Cimbot, for example, is a piece of malware that has been used to create a botnet that now accounts for about 15 percent of the world’s spam, he says.

BOTNET STATS

The malware is infecting computers running the Windows XP operating system and using the following browsers to hunt its prey: [chart; values legible: Safari 1%, Opera 3%]

The majority of infections continues to take place in the U.S., as shown below: [chart; values legible: U.K. 6%, Canada 4%, Germany 4%, France 3%]

Source: Finjan Software

Among the problems that security researchers have encountered when trying to track and shut down botnets is that the newer worms used to build botnets are using strong cryptography to protect the command-and-control centers, says Paul Kocher, president and chief scientist at Cryptography Research.

“It used to be you could track how a botnet was getting its commands and send out fake commands to take it out,” he says. “It’s getting a lot harder to do that.”

May 2009 www.csoonline.com 11

>> BRIEFING

The newer botnets are also building their own P2P networks to communicate and have gotten good at snuffing out a machine’s security controls.

“We’re also watching more sophisticated efforts among botnet-building worms to evade detection,” Kocher says. “They’re more polymorphic, changing from copy to copy. It makes it more difficult for an antivirus author to craft a signature to block it.”

Gunter Ollmann, vice president of research at Atlanta-based security vendor Damballa, says enterprise IT shops would do well to ramp up efforts to detect the lesser-known malware being used to such devastating effect these days. In the last two years, he says, IT shops have deployed a broad range of detection and prevention technologies. Each layer of defense has gotten better at fending off certain attacks.

“The more common the threat, the better the protection,” he says. “But the bad guys are very much aware of how these defenses work, so they’re using more sophisticated, targeted, social engineering attacks. Looking at the malware used, a high percentage is IDS- and AV-proxy-aware.”

Ollmann and others offer the same advice: Since attackers are so successful at using social engineering tricks (luring users with fake headlines that play on current events and duping them into clicking on malicious links), one of the best defenses remains user education.

Show the average user what they’re up against every time they go online and they are less likely to be duped into downloading the bot-building code, experts say. -Bill Brenner


CRITICAL INFRASTRUCTURE

Researcher: Power Grid Hackers Got Inside by Attacking PCs

The hackers who reportedly planted malware on key parts of the U.S. electrical grid (perhaps with the intent to cripple the country’s power infrastructure) most likely gained access like any other cybercriminal: by exploiting a bug in software such as Windows or Office, says one security researcher.

“Any computer connected to the Internet is potentially vulnerable,” says Roger Thompson, chief research officer at AVG Technologies. “Getting to the actual infrastructure devices directly, that’s always possible, but a whole lot less likely. In any industry, critical or not, there are always plenty of PCs that have been compromised.”

According to published reports last month, unnamed national security sources said that hackers from China, Russia and elsewhere have penetrated the U.S. power grid, extensively mapped it and installed malicious tools that could be used to further attack not only the electrical infrastructure, but others as well, including water and sewage systems.

The discoveries were made by U.S. intelligence agencies, not the utilities’ security teams, the Journal said. Thompson says, “Any infrastructure device that’s connected to the Net is potentially hackable.”

It’s more likely, he adds, that the power-grid hackers exploited the same kinds of vulnerabilities (but not the exact same bugs) that have plagued consumers and businesses that run Microsoft’s Windows and its Office application suite. “I have no doubt that there’s been this kind of attack, or attempt to attack, for quite some time,” says Thompson, “perhaps using the same kind of Office zero days that have been coming out.” In security parlance, a “zero-day” exploit is one that leverages an unpatched vulnerability.

Vulnerabilities in Microsoft Office (typically file-format flaws that let attackers hijack PCs by duping users into opening a malformed Word, Excel or PowerPoint document) are often used in targeted attacks that focus on just one company or organization, or even on only a few top-level executives in that company.

The hackers try to get control of a senior official’s machine because that’s where the most important and salable information is located.

Microsoft has released two security advisories in the past six weeks for unpatched Office vulnerabilities that are already being exploited in similar targeted attacks.

Neither the Excel bug, which was revealed in late February, nor the more recent PowerPoint vulnerability has been patched by Microsoft.

“[The general antivirus industry] never ever gets to see the best zero days,” Thompson continued. Although the community is well-known for sharing samples, there are always cases in which a victimized organization (a government agency, for example) refuses to share the attack code with others for analysis. “You’ll ask for a sample, and he’ll say, ‘Well...no, I’m not allowed,’” says Thompson.

-Gregg Keizer

“Plenty of PCs have been compromised” in different industries, critical or not, says Roger Thompson.




PHYSICAL SECURITY

DUMPSTER DIVING: STILL A GOOD WAY TO DIG UP PRIVATE INFORMATION

In an age where data breaches and identity theft occur every day, businesses are taking every precaution to ensure that all sensitive data is disposed of properly, right? Think again.

While organizations may be doing a better job with privacy inside closed doors, despite the damage and headline-making potential of a data breach, many may not be using the same care on the back end of the information lifecycle.

While you may think your sensitive information is being fastidiously shredded and disposed of securely, security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, reveals otherwise.

Hunt recently went for a good old-fashioned dumpster dive. It might sound like a ’90s tactic, but Hunt thought it would still work as a way to garner sensitive information.

He headed to the trash bin at what he describes as “a big bank in a big city.” He was in and out of the dumpster in three minutes, according to his estimate.

In that short amount of time, he came up with the following items:

Wire transfer information: Hunt obtained the wire transfer information of many transactions. The documents he found included transfer information for transactions between U.S. banks and banks in Jordan, Saudi Arabia, Dubai and Portugal. The documents included the account numbers and social security numbers of both the sender and the receiver, and their names.

Check copy: Hunt found a clear and easily readable copy of a bank check with all of the important information: bank account number, routing number and name of the account holder. The account holder’s social security number and small business ID number were handwritten in on the top right of the check.

Bank account transaction history: The dive also turned up the bank account numbers, balances and banking activity for the fund-raising account of “a certain prominent politician in the area,” according to Hunt.

Personal financial statement: Hunt found the personal financial statement of an individual he described as “very wealthy.” The documents list the person’s name, home address, real estate owned and values of the properties, several of the individual’s bank account numbers, social security number and date of birth. Hunt Googled the name and easily found a picture of the person.

An entire, intact PC: Hunt’s experiment even yielded a whole laptop with a tag on the back that says “Property of [another financial institution]”. While the computer had no power and Hunt was not able to power it up, “I know how to connect to a hard drive,” he says.

-Joan Goodchild


BY THE NUMBERS

120M: Amount of phone minutes that AT&T and Verizon Communications were duped into providing criminals

3: Number of security holes recently found in Google Docs that could expose private data

200: Number of Symantec customers whose credit card numbers may have been stolen from an Indian call center used by the security vendor

32: Age of security researcher Jack Louis, who died in a fire before he was able to help produce a fix for the far-reaching TCP flaw he discovered


Security Wisdom Watch

Much has happened in security circles this past month, from all the hoopla over Conficker to the ongoing economic bloodshed in the industry. Here are a few that stood out, for better or worse.

Thumbs up: Brad Dinerman: The National Information Security Group president was laid off in October, but quickly bounced back with a new business of lending IT security support to small businesses. An inspiration for anyone who finds themselves jobless.

Thumbs down: Premier Voice/Lone Star Power: These companies found themselves in the FBI’s crosshairs in April after allegedly duping telecommunication giants AT&T and Verizon Communications into providing more than 120 million minutes of telephone service to criminals.

Thumbs down: A fix for TCP flaw: Jack Louis, discoverer of the far-reaching TCP (Transmission Control Protocol) software flaw, died in a fire March 15. The sad turn of events first reported last month means it’ll now fall to other researchers to fix the security hole.

Thumbs both ways: Security vendors and Conficker: Vendors deserve criticism for fanning the flames of FUD last month over a predicted Internet meltdown at the hands of the Conficker worm, which did not come to pass. But there were some vendors, like Luis Corrons, a director at Panda Security, who went out of the way to talk everyone off the ledge with this threat. Security vendors backing off from hype is no easy task.

-B.B.

LEGISLATION

Federalizing Cybersecurity: Necessary or Nitwitted?

[Photo: Senators Olympia Snowe and Jay Rockefeller]

Two U.S. senators are proposing legislation that would give federal officials significant new authority to create and enforce data security standards both for government agencies and key parts of the private sector.

The Cybersecurity Act of 2009, introduced by Senators Olympia Snowe (R-Maine) and Jay Rockefeller (D-W.Va.), would empower the National Institute of Standards and Technology (NIST) to establish “measurable and auditable” security standards for all networks and systems run by federal agencies, government contractors and businesses that support critical infrastructure services. In addition, NIST would be charged with developing a standard for testing and accrediting software built by or for those groups. The bill also calls for the creation of a national cybersecurity adviser’s office within the executive office of the president. Under the proposal, the new operation would be modeled after the Office of the U.S. Trade Representative and would have the power to compel federal agencies to comply with government security mandates.

The early reaction among security pros is, not surprisingly, one of skepticism. After all, they note, the U.S. government has had a lot of trouble getting its IT security house in order. Hackers from China and elsewhere keep breaking into government networks to conduct espionage. Federal cybersecurity directors keep quitting. Rich Mogull, a former Gartner analyst and founder of security consultancy Securosis, says a deeper government reach into the private sector may make sense under certain circumstances, but not in the broader sense. “I think it’s reasonable for critical infrastructure and government contractors, but if it extends into general business, it’s doomed to failure,” he says.

For one thing, he says, the government has shown no ability to secure itself. “Perhaps the reprioritization of a new administration will improve that, but there is immeasurable institutional momentum to overcome,” he says. While the NSA plays a critical role in cyberintelligence, Mogull says it is not the right entity to manage our national defensive cybersecurity. “The missions fundamentally conflict,” he says. “If we want to leverage their extensive expertise, a separate agency should be created and charged with the defensive role, reporting to a cybersecurity head outside the intelligence infrastructure.”

Pete Stagman, owner and senior engineer at Stag Data & Cable and senior engineer at Global Digital Forensics, says the prospect of federalized cybersecurity leaves him uneasy. “I’m not crazy about this at all, especially the part that ‘would require the National Institute of Standards and Technology to establish measurable and auditable cybersecurity standards that would apply to private companies as well as the government [and] require licensing and certification of cybersecurity professionals,’” he says.

It’s far from certain that such a bill would ever become law. Private entities are certain to push back, and, even if passed in the Senate, it would have to go through the House of Representatives and White House gauntlet, a process certain to move slowly, if at all. -B.B. and Jaikumar Vijayan




MALWARE

CONFICKER’S MAKERS LOSE BIG, EXPERT SAYS

THE MALWARE makers who crafted Conficker must be extremely disappointed, one security expert says, and not because the Internet didn’t come crashing down April 1, as some of the wildest speculation had predicted.

“All of their work has gone for naught,” says Alfred Huger, vice president of development for Symantec’s security response team, referring to the hackers who created the Conficker worm.

Ironically, it was the extraordinary success of Conficker that made the hackers’ work essentially a wasted effort, Huger says. “Most of the work done on Conficker was because of all the attention it got, absolutely,” he says, pointing to the drumbeat of coverage since the worm first surfaced in November 2008 and the frenzy that led up to April 1, when its newest variant started switching to a new communications scheme.

“This is the biggest worm in terms of press coverage received since we experienced Code Red,” Huger notes. Code Red, which struck Microsoft’s server software in 2001, slowed networks to a crawl. “And that’s great. I think the threat was genuine, and without all the attention, it could have been a big problem.”

The anti-Conficker efforts prompted by that attention included a consortium of researchers and companies that have tried to disrupt the worm’s “phone home” ability. Other researchers, meanwhile, exploited a Conficker flaw to create a scanner that quickly detected infected PCs. The beginning of the bad news to Conficker’s makers was in January, Huger says, when the worm’s profile soared as it infected millions of Windows PCs. “The distribution is what got everyone’s attention because it got so big in such a short time,” Huger says. “And the fact that it was exceptionally well written, that was intriguing to [security] researchers.”

Vincent Weafer, another Symantec security response executive, puts it succinctly: “In reality, the author or authors probably didn’t intend for this malware to get as much attention as it has,” he says. “Most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful.”

Huger said this may just fade into the background noise of bot networks. It’s a large botnet, he says, but not the largest.

How large is still unknown. Although estimates of the size of the Conficker-infected pool have ranged from 1 million to 12 million, it has been difficult to pin down the number of computers infected with Conficker.c, the newest variant and the one that sparked the massive coverage leading up to April 1.

It was the April 1 date hard-coded into Conficker.c that had some people on edge; that was when Conficker.c would be told to begin using a new method of reaching its command-and-control servers. -Gregg Keizer


EMERGENCY RESPONSE

Quake Has Italians Reaching to YouTube, Mobile Services

Seismologist predicted quake on YouTube a week before it happened

An earthquake in the Italian region of Abruzzo last month had victims and concerned observers communicating through emergency use of mobile devices and reaching out for help and information via Facebook and YouTube.

The quake left more than 100,000 people homeless and killed hundreds of people.

One seismologist, Giampaolo Giuliani, had even posted a YouTube video warning last week predicting that an earthquake of at least a 4.0 magnitude was imminent.

Response to the video is causing controversy because authorities had told Giuliani to take down his posting and chastised him for spreading panic.

Even Prime Minister Silvio Berlusconi weighed in, saying that “earthquakes can’t be predicted.”

However, Giuliani said that earthquakes can be predicted, specifying that smaller shocks felt recently and a buildup of radon along fault lines indicated an imminent earthquake.

The 6.3 magnitude earthquake hit L’Aquila, the region’s capital, at 3:32 a.m. local time April 7, injuring about 1,500 people, according to reports.

The quake was felt strongly as far away as Rome, about 70 miles from the epicenter.

In the panic after the quake hit, authorities asked local inhabitants to avoid using cell phones when possible.

Nevertheless, one student, trapped under the wreckage of university housing in Aquila, used his cell phone to give directions to rescue workers, helping them locate him and dig him out.

A Facebook network called Aiutiamo l’Abruzzo (Let’s Help Abruzzo) was formed to share emergency phone numbers and information about where to give blood and get medical help.

About 90 Facebook groups dedicated to discussing measures that could have been taken to prepare for the earthquake have also been formed.

-Giulia Pisino and Francesca Papapietro




Verbatim...

“I THINK IT’S REASONABLE FOR CRITICAL INFRASTRUCTURE AND GOVERNMENT CONTRACTORS, BUT IF IT EXTENDS INTO GENERAL BUSINESS, IT’S DOOMED TO FAILURE.”

-Security consultant Rich Mogull on a U.S. Senate bill that would extend federal cybersecurity enforcement into the private sector

“COMPANIES MAY THINK THAT THE BAD ECONOMY MAKES IT A GOOD TIME TO GET RID OF BAD EGGS OR DIFFICULT EMPLOYEES. BUT ONCE THEY’RE NO LONGER PART OF THE ORGANIZATION, YOU DON’T HAVE THE ABILITY TO MONITOR THEIR BEHAVIOR NEARLY AS WELL OR TO DO INTERVENTION.”

-Marisa Randazzo, a former chief psychologist for the U.S. Secret Service and president of Threat Assessment Resources International

“ALL OF THEIR WORK HAS GONE FOR NAUGHT.”

-Alfred Huger, vice president of development for Symantec’s security response team, referring to the hackers who created the Conficker worm. The worm failed to unleash the April 1 havoc that had been predicted.



DIGITAL FORENSICS

5 Ways to Survive a Data Breach Investigation

Security experts say it all the time: If a company thinks it has suffered a data security breach, the key to getting at the truth unscathed is to have a response plan in place for what needs to be done and who needs to be in charge of certain tasks.

And, as SANS Institute instructor Lenny Zeltser advised in “How to Respond to an Unexpected IT Security Incident” at www.csoonline.com/article/484291, “ask lots and lots of questions” before making rash decisions.

Unfortunately, many companies still fail to heed that advice and end up in a lot more trouble than was necessary.

Robert Fitzgerald, a Boston-based digital forensics investigator and president of The Lorenzi Group, finds that at many of the companies he investigates, the words of Franklin D. Roosevelt ring true: “The only thing [companies] have to fear is fear itself.”

“People get nervous when we come in and it’s a shame because our job isn’t to tear through and tell you how bad you are,” Fitzgerald says. “We’re not law enforcement.”

But people get nervous anyway. So they do stupid things on purpose or by accident that land the company in a heap of trouble. People who fear lawsuits or have something to hide tamper with evidence (Fitzgerald calls it “spoliation”) in ways that may seem clever (overwriting files, reinstalling the operating system, loading a bunch of other data on discs and drives and then deleting them) but are easily uncovered during an investigation.

To help companies avoid such madness, Fitzgerald recently sat down with us to outline five steps that can be taken to ensure a smooth investigation that ends with the company’s reputation intact.

1. Have a response that’s built for speed. When a company brings in Fitzgerald’s crew, the goal is to move with all deliberate speed so the truth can be uncovered and corrective measures can be taken. Nothing gets in the way of that like a company that has nothing ready when the investigators arrive. To that end, it’s important straightaway to have such items on hand as the employee manual, rules for who can do what on work machines and information on office and personal e-mails, and computer software and hardware. “Data is fluid; it moves quickly, so we move quickly,” he says. “If you call us this morning, we want to be there this morning. The longer you wait, the more likely evidence will get spoiled. When we make suggestions, in the presence of legal counsel, [they’ll be what] we think is best for you.”

2. Don’t touch anything. In that moment of panic where the company suspects foul play, the urge to tamper with data can be irresistible. Sometimes data is spoiled by a malicious insider with something to hide. But many times, the culprit is an honest person who accidentally destroys data in a panic or does the wrong thing before they realize what they’re doing because the fear has taken over.

Whatever the motive, Fitzgerald says the investigators will easily uncover what you’ve done. “It’s not worth it. You risk jail time if we discover you tried to destroy data,” he says. “Regardless of whether you did anything wrong or not, if you tamper with data you’re going to be in trouble.”

3. Bring in the lawyers. Company executives are often slow to bring in legal counsel. That’s unfortunate, Fitzgerald says, because the lawyers are on your side and can help you construct a sound game plan to keep the company out of trouble.

4. Decide if you want a “loud” or “silent” probe. Companies should decide at the beginning if they want investigators to come in with a bang or a whisper. The right approach depends on what a company thinks it’s up against.

5. Educate the employees. Fitzgerald says education is the best way to ensure people like him aren’t needed in the first place. “Educating employees is so important,” he says. “If they know what they can and can’t do, and all the tech policies are in place, the potential for an incident drops dramatically.” -B.B.




By  Mary  Bran  del 


VMS:  That  Vision  Thing 

Video  management  software  helps  with  efficient  monitoring, 
transmission  and  storage  of  IP  surveillance  video 


Video management software (VMS) allows you to record and view live video from multiple surveillance cameras—either IP-based or analog cameras with an encoder—monitor alarms, control cameras and retrieve recordings from an archive. Because they are IP-based, VMS systems are more expandable and flexible than DVR-based systems, and employees can control the software from anywhere on the network. Surveillance and security teams can use the software for live monitoring, as well as investigative and forensic purposes, using archived footage.

Users have three form factors from which to choose for managing IP video: software-only, hardware/software appliances (sometimes referred to as network video recorders, or NVRs) or a hybrid DVR, which is a DVR with additional software to manage IP equipment.

Because  of  the  economic  downturn, 
the  VMS  market  will  see  slower  growth  in 
2009  than  in  previous  years,  with  a  forecast 
of  29  percent  versus  more  than  40  percent, 
according  to  IMS  Research. 

Evaluation  Criteria 

VMS  systems  range  from  the  basic  to  the 
sophisticated,  with  major  differences 
including  reliability  features  and  number 
of  cameras  and  locations  supported.  Here 
is  a  sampling  of  features  to  consider: 

■ Specific options for different verticals, including retail, banking, transportation, etc.;

■  Video  analytics,  such  as  license-plate  or 
facial  recognition; 

■  Integration  with  third-party  systems, 
such  as  access  control,  building 
automation,  alarm  management,  video 
analytics  and  more; 


■  Motion  detection; 

■  Customizable,  resizable  viewing  panes; 

■  User  interface  features  that  include 
hot-spot  windows,  color-indicated 
activity,  instant  replay,  quick  switching 
between  cameras,  etc.; 

■  “Privacy  zones”  to  protect  sensitive 
areas  from  being  monitored; 

■ Creation of customized rules. For instance, if a particular door opens, the camera begins recording and even activates an alarm or sends an alert;

■  Camera  control  (pan,  tilt,  zoom); 

■  View  multiple  video  channels  at  once; 

■ Multichannel playback, which allows users to play recorded video from several cameras simultaneously—useful if tracking a suspect through hallways;

■ Multiple search devices, including fast-forward, reverse, thumbnail view, timeline bars, bookmarking, etc.;

■  Secure  export  of  material  evidence; 

■ Fail-over capability that enables continued recording if the primary server goes down.

Software-Only Versus Appliance

Users can choose between software that they load, configure and manage on a server of their choosing or a hardware appliance that’s preloaded with software. The benefits of appliances are reduced setup and installation complexity, while disadvantages are less flexibility, fewer customization options and more difficult integration with third-party systems. According to Simon Harris, senior research director at IMS Research, more advanced users will typically opt for software-only solutions, while those that aren’t comfortable doing setup and configuration will choose an appliance, or what IMS calls a proprietary system.

“If you have only a small number of cameras and don’t intend to integrate with your access control or building management system, that lends itself to proprietary systems,” Harris says. “As they get bigger and more complex, that’s when they go for open platform.”

This is what Jeff Hinckley, a systems integrator at Norris, ran into when he designed and implemented a video surveillance network for the cities of Lewiston and Auburn in Maine. The schools were working in conjunction with Lewiston-Auburn 911, an organization created by Auburn and Lewiston to provide dispatch and radio communications to first responders. The school system had obtained federal funding for a surveillance system to help with increasing criminal mischief.

The surveillance system was designed to work with a large-scale, 4.9 GHz wireless mesh network designed by Norris and deployed throughout both cities. The network was intended for emergency access to municipal security systems as well as the deployment of remote cameras.

Early in the endeavor, some of the Auburn schools were equipped with analog cameras and DVRs from Pelco, as well as some IP cameras managed by a Pelco video management appliance. But as the surveillance system was expanded, it became increasingly desirable to use high-resolution megapixel cameras in some areas and to use a more unified, single-application approach to accessing both video and other security-based services.

Using encoders, Norris tied the analog cameras into the schools’ fiber-based network, added megapixel cameras and replaced the Pelco VMS with software from Exacq Technologies. Exacq’s system, which runs on a Windows or Linux server, is able to support all the cameras and can integrate with access control systems.

VMS  Versus  Hybrid  DVR 

Some DVR vendors have begun selling software that enables their DVRs to support both IP cameras and directly connected analog cameras. VMS-based systems can also support analog cameras, but they require the use of an encoder to translate the signal to digital. With hybrid DVRs, both types of cameras are supported directly.

The hybrid option will be particularly attractive to companies during the economic downturn, when many end users will be motivated to make modest, incremental upgrades to IP, while staying with their existing DVR providers, says John Honovich, founder of IP Video Market Info, a video surveillance information portal. “In the past, if you wanted to add megapixel or other IP cameras to your surveillance system, you were forced to go to an IP-based VMS solution,” he says. “That has become much more complicated now that DVR vendors are rolling out increased IP support.”

DVR vendors still don’t support the breadth of cameras that VMS-based systems do, Honovich says. They might support two to five manufacturers versus leading VMS vendors, which support up to 50. “The DVR folks have a ways to go to catch up,” he says. At the same time, over the next 18 months, the distinction between these manufacturers will largely disappear, Honovich says. He sees DVR companies broadening their IP camera support and selling software-only systems, either independently or through acquisitions, while VMS vendors will offer DVR/NVR appliances to appeal to organizations with smaller camera deployments.

Already, he says, hybrid DVR vendors offer enterprise-level functionality, such as centralized management and third-party system support that, in some cases, is superior to VMS vendors, especially in the area of access control. “IP players will say they’re more open, but I’d ask them to prove that,” he says.

Dos  and  Don’ts 

DO  investigate  the  level  of  support  for 
third-party  systems.  VMS  systems  can 
integrate  with  a  wide  range  of  third-party 
systems,  including  access  control,  video 
analytics,  building  automation  and  alarm 
management  systems.  Companies  should 
investigate  not  just  whether  the  VMS 
integrates  with  the  systems  it  needs,  but 
also  the  level  of  integration,  which  varies 
widely,  says  Brian  Carle,  product  manager 
at  Salient  Systems,  in  a  blog  entry  on  the  IP 
Video  Market  portal.  At  a  basic  level,  the 
VMS  can  receive  and  act  on  alarm  events 
from  the  third-party  system,  he  says.  For 
example,  when  a  person  enters  a  building, 
an  access  control  system  could  trigger  the 
video  management  system  to  verify  that  the 
image  of  the  person  captured  from  video 
matches  the  ID  card/system.  At  a  more 
sophisticated  level,  he  says,  you’d  be  able  to 
configure  the  third-party  system  through 
the  VMS  interface. 

DON’T get stuck on a particular vendor until you know which cameras they support. Whereas DVRs support almost any analog camera, such is not the case with IP video software, which needs specific drivers for each camera type. “Some support only one brand, while others support 500,” Honovich says. “You can decide you really want to use a particular IP camera but then realize it’s only supported by five software vendors in the market.”

DON’T forget user authentication and authorization. A big benefit of VMS systems is that you can centrally manage an unlimited number of devices. But you also need to consider how you’re going to centrally manage the users accessing the system, especially if they’re geographically dispersed. One way is to ensure the system integrates with the directory services you’re already using, such as Microsoft Active Directory. “If you’re already using that for PCs, you can integrate your video surveillance system with that so they’re both using the same user name and password,” Honovich says. Plus, you can keep logs of video-watching behavior in a database.

In the bad old days, says Honovich, you would have to set up a unique user name and password for every DVR or video management system, which created a nightmare scenario of people using weak default passwords like “admin.” “Anyone could get in at any given time,” Honovich says. “That’s why centralized management is an important element, given the history of poor user access management.”

DO look for an intuitive user interface. Security personnel can turn over quickly, so it’s important to have a system on which you can train people quickly and easily. Not to mention, many are moving from the world of analog systems, so the transition to a computer interface needs to be considered. “Security can be a fluid profession, so you don’t want to invest a lot of training, which makes an intuitive interface paramount,” Honovich says.

Often, Carle warns, applications are designed with functions buried under menus, and it takes many mouse clicks to perform a function. “Ease of use and training are a primary concern for organizations that have guards monitoring the video,” he says.

The best thing to do is try the product in an existing environment to see what users do and don’t like, says Kani Neves, executive director of the Sherwood Valley Gaming Commission. That’s what his group did before choosing a system from Genetec for the Black Bart Casino in Northern California. “We visited other facilities and environments to see what we thought would apply to us and not,” he says.

THE EYES HAVE IT

These are the top worldwide vendors of video management software, in descending order of market share, according to IMS Research.

■ Milestone, at 19.5%

■ Genetec

■ On-Net Surveillance Systems (OnSSI)

■ SeeTec Communications

■ Mirasys

DO consider resource-saving features. Some features can help minimize time and staffing levels, including alarm clients, mapping clients and smart searching. Alarm clients display a blank video screen until activity occurs on associated cameras. Only video triggered by motion or alarm will display, “which prevents the operator from being bombarded with potentially irrelevant video information,” Carle says. This can cut down on the number of personnel you need. Some alarm clients include a history list of events, so an operator can click on an item in the list and quickly play back video of the event, he says.

Smart search, Carle explains, speeds investigations because you can specify particular areas in the camera’s field of view, as well as a specific time frame, and capture only recordings where motion is detected in that area in that time period. Systems differ, he says, in the speed of these searches, depending on whether the system records metadata along with the video.

Meanwhile,  a  mapping  feature  allows 
administrators  to  import  an  image  file  and 
overlay  icons  representing  cameras  on  the 
map,  Carle  explains.  “This  will  show  an 
operator  exactly  where  a  camera  is  in  the 
facility,  making  it  much  easier  to  learn  the 
system  and  track  activity  across  cameras.” 

DO understand cost structures. Many vendors calculate cost by charging a certain amount for each video device used with the system, plus an upgrade subscription fee, which entitles the user to download new versions of the software, Carle explains. Some also charge a server fee, either as a site license or for each server on which the software is installed. Per-device costs vary widely, mainly depending on the system’s level of sophistication. Very high-end systems can be over $1,000 per camera, while an enterprise-level, scalable system can be $200 to $500 per camera, Carle says.

DON’T forget to consider storage. Especially with higher resolution cameras, video surveillance can start to take a big bite out of storage. Many vendors offer various techniques to keep that to a minimum. For instance, the Genetec system that Neves selected can change video resolution from 4 CIF to 2 CIF or less. “The software can manipulate what the camera sees and records, how much it records and with how much clarity,” he says.

Another way that Neves minimizes storage requirements is through Genetec’s motion detection capability, which can be applied to any camera even if the camera itself does not have the ability to sense light. The feature enables the casino to record only when tables are in use, to meet the federal requirement of 24/7 recording for active tables. In all, there are 100 tables, and if just 50 are being used at a time, only the cameras focused on those tables need to record video. “Anytime a customer or dealer enters the frame, the system automatically starts recording five minutes prior to that,” Neves says. “And you can tell it to stop recording once motion has left the frame. It allows us the freedom to utilize cameras when we need them.”
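The recording policy Neves describes (keep the five minutes before motion appears, stop once motion has left the frame) as an added example, not Genetec’s code or anything from the article; the post-motion quiet period, the frame interval and the motion windows are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    t: int          # capture time, seconds since the stream started
    motion: bool    # verdict of the VMS's software motion detector for this frame


class MotionTriggeredRecorder:
    """Archive video only around motion (hypothetical class for this example).

    While idle, the last `pre_s` seconds are held in a rolling buffer and not
    stored.  When motion starts, that pre-roll is committed to the archive and
    every following frame is stored until motion has been absent for `post_s`
    seconds, at which point the recorder drops back to buffering.
    """

    def __init__(self, pre_s: int = 300, post_s: int = 60) -> None:
        self.pre_s = pre_s                   # 5 minutes of pre-event footage, as in the text
        self.post_s = post_s                 # quiet period before recording stops (assumption)
        self.buffer: deque[Frame] = deque()  # rolling window of frames not (yet) archived
        self.archive: list[Frame] = []       # frames actually written to storage
        self.recording = False
        self.last_motion_t = 0
        self.segments = 0                    # number of distinct motion events recorded

    def ingest(self, frame: Frame) -> None:
        if self.recording:
            self.archive.append(frame)
            if frame.motion:
                self.last_motion_t = frame.t
            elif frame.t - self.last_motion_t >= self.post_s:
                self.recording = False       # motion has left the frame long enough
            return
        # Idle: keep only the most recent pre_s seconds in the buffer.
        self.buffer.append(frame)
        while frame.t - self.buffer[0].t > self.pre_s:
            self.buffer.popleft()
        if frame.motion:
            # Motion started: commit the pre-roll (which includes this frame).
            self.recording = True
            self.segments += 1
            self.last_motion_t = frame.t
            self.archive.extend(self.buffer)
            self.buffer.clear()

    def archived_ranges(self, step: int) -> list[tuple[int, int]]:
        """Contiguous (start, end) time spans in the archive for a feed whose
        frames arrive every `step` seconds."""
        ranges: list[tuple[int, int]] = []
        for fr in self.archive:
            if ranges and fr.t - ranges[-1][1] == step:
                ranges[-1] = (ranges[-1][0], fr.t)
            else:
                ranges.append((fr.t, fr.t))
        return ranges


def simulate(step: int = 10, duration: int = 2000,
             motion_windows=((600, 700), (1500, 1520))) -> MotionTriggeredRecorder:
    """Constructed feed: one frame every `step` seconds over `duration` seconds,
    with motion only inside the given inclusive windows (an otherwise empty table)."""
    rec = MotionTriggeredRecorder(pre_s=300, post_s=60)
    for t in range(0, duration + 1, step):
        moving = any(lo <= t <= hi for lo, hi in motion_windows)
        rec.ingest(Frame(t, moving))
    return rec


if __name__ == "__main__":
    rec = simulate()
    seen = 2000 // 10 + 1
    print(f"frames seen: {seen}, archived: {len(rec.archive)} "
          f"({100 * len(rec.archive) / seen:.0f}%), motion events: {rec.segments}")
    for lo, hi in rec.archived_ranges(10):
        print(f"  archived {lo:>5}s .. {hi:>5}s")
```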

Plus, if certain areas of a casino are only accessible at certain times, he can use motion detection on cameras monitoring the hallways and doors in those areas to check for abnormal access. “With 500 to 600 cameras, we don’t have the manpower to hire the people it would take to see everything going on,” he says. “This enables us to minimize our staffing while increasing our security level.” ■


Mary Brandel is a freelance writer based outside Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.




COVER STORY | LEADERSHIP


Leadership in Trying Times


Our 2009 CSO Compass Award winners come from disparate backgrounds and careers. But these security leaders are all working to make security a wise business investment amid economic chaos.

By Joan Goodchild


John Martinicky has seen good years and bad years in his time with Navistar International, a Warrenville, Ill.-based manufacturer of heavy trucks and engines. Martinicky has been with the company for more than 30 years and has served in the security department since 1982.

Today,  as  the  director  of  global  security  for  Navistar,  Martinicky  says  his  department 
is  more  crucial  than  ever.  Security  incidents  at  Navistar— everything  from  car  break-ins 
onsite  to  data  theft  reports— started  trending  up  about  eight  months  ago,  and  he  is  busier 
than  ever  lately. 

It’s  not  a  new  experience  for  Martinicky.  The  more  things  change,  the  more  they  stay 
the  same.  When  it  comes  to  security’s  role,  the  2009  CSO  Compass  Award  winner  sees  a 
lot  of  similarities  between  recessions  past  and  the  current  economic  crisis. 

“I see a lot of parallels in that in desperate times, people will do desperate things,” he says. “In difficult times, security is needed more. This is where we see an increase in incidents across the board.”




These are trying times. To say that budgets are tight would be a severe understatement when, in fact, many businesses are struggling simply to survive in this economy. Current conditions make it even harder for security, which in so many companies is still seen as an unfortunate expense mandated by government regulations. But, Martinicky says, Navistar has to be even more on guard than ever in this economy, and security should be a priority.

“I think we are kind of countercyclical to the economy. We bring value and are involved, whether it is cars being broken into in the parking lot or internal fraud, substance abuse, leaks of confidential information. Everyone understands what their responsibilities are if we have to do an investigation. I see that continuing as the economy gets worse.”


Security as a Business Driver

Amid this recession, Baker Hughes Inc. CSO Russ Cancilla has been steadily making changes to his security program. And even as many budgets are being slashed, he has a vision for security as a business enabler. Cancilla, who has been with the oilfield services provider for three years, has transformed the company’s security operations from one that was fragmented to one with a converged approach under his leadership. The person who nominated Cancilla for a 2009 Compass Award says he treats security not as a necessary evil, but as a place for opportunity.

“We have this philosophy: We have to be seen as business people who happen to be experts in security,” says Cancilla. “If we want to be engaged by the business and have a seat at their table, we have to speak their language and demonstrate to them that we understand that security supports, enables and reduces the risk and helps them generate revenue. We demonstrate that we know the principles of integrating security with the business by showing a return on investment in us.”

For  Cancilla,  one  of  his  most  crucial 
challenges  is  finding  ROI  in  security 
through  cost  avoidance. 

“For example, say our company is looking at a contract to work for Exxon Mobil,” Cancilla explains. “They have asked us to provide the services that Baker Hughes provides. Historically within the company, security would not be engaged in that conversation when the tender was being considered.”

As a result, security was seen as a cost eroder, according to Cancilla. After the contract was signed, executives would then alert security to their need for a program in a new region, and only then did security enter the picture to provide an idea of how much security operations would cost. That has changed under Cancilla.

“Now, we’ve front-loaded our estimation into our business economic model, and we look at the security situation ahead of time and say: ‘This is what we think it will cost to manage the security in this location.’ The business factors those costs in so when the contract is negotiated, security costs are considered and it isn’t a matter of security costs eroding profits on the back end.”

According to Cancilla’s nomination, he goes beyond mere cost avoidance. He recently found new revenue streams for Baker Hughes by investigating the security in the Iraqi region of Kurdistan. All of Iraq had been considered too risky for projects, but Cancilla, after lengthy research and travel assessments, concluded Kurdistan was a peaceful region and recommended Baker Hughes remove Kurdistan from the off-limits list.

“Our group understands that Baker Hughes is not a security company,” says Cancilla. “Our aspiration is not to have a best-in-class security program. It is too costly. Our goal is to have best-in-class people who operate a security program that is appropriate to manage the risk for the business.”

When Budgets Are Tight, Focus on Essentials

“If  my  CTO  or  CIO  came  to  me  and  said, 
‘You’ve  got  five  million  dollars  to  spend 
this  year,’  I  would  know  exactly  what  I 
want  to  spend  it  on,”  says  Lynda  Fleury, 
CISO  with  Tennessee-based  insurance 
company  Unum. 

Unfortunately, budget strains mean that five million is probably not forthcoming—to Fleury or to many CISOs and CSOs this year. In a survey recently conducted by CSO, security decision makers in over 100 companies were asked about their spending plans for 2009 to gauge the impact that current economic conditions are having on budgets. Of the 159 respondents, 64 percent indicated that the economy was having a negative impact on security spending and 35 percent said security budgets would decrease this year.

Fleury casts no illusions; running an infosec program is financially challenging even in good times. The thirty-year security veteran says she handles it with creativity, and, like Cancilla, by focusing on the essentials that are necessary for business.

“Being a good corporate citizen means realizing that everybody is facing challenges right now. I don’t want to ride the coattails of risk anymore. I’m seeking to do things that are meaningful to the quality of our program around information security and protecting our critical assets.”

Fleury’s priorities in 2009 include investments in areas such as event correlation for more effectiveness and efficiency. Data loss prevention initiatives are also a must as customers get savvy about where their information is going and being stored. But the biggest beast to tackle, according to Fleury, is employee awareness. In her eyes, insider threats—both through intentional malice or accidental actions—are an infosec program’s weakest link.

“The threat landscape changes every day. The things we see a lot of now are the hacks, the cyber threats, the social engineering, that seem to come in under the radar. We are looking at some threat, vulnerability and incident correlations to help us get more proactive. My team has done a great job keeping things at bay. But I don’t think the threat is going away.”

Finding Security Technology That Will Change the Future

The  dynamic  threat  landscape  that 
Fleury  and  other  CISOs  struggle 
with  has  been  the  focus  of  Dan 
Geer’s  career. 

“In information security in particular, the rising fraction of R&D that is done by the opposition and is funded by the opposition by its own revenue is quite fascinating and makes things very difficult,” says Geer. “At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time.”

Geer  is  an  obvious  choice  for  a  CSO 
Compass  Award.  Known  in  the  industry  as 
“the  dean  of  the  security  deep  thinkers,”  his 
resume  includes  time  as  vice  president  and 
chief  scientist  at  Verdasys,  a  critical  role  in 
Project  Athena  at  MIT  and  a  now-famous 
firing  from  @Stake  for  cowriting  a  paper 
warning  that  a  Microsoft  monoculture 
threatened  national  security. 

These days, Geer is CISO with In-Q-Tel, a nonprofit venture capital firm that invests in security technology in support of the intelligence community. Launched in 1999, In-Q-Tel has invested in high-tech companies to equip organizations like the CIA with the latest in intelligence tools. Among some of the more notable investments is a technology created by Keyhole, then known as Earth Viewer. The company was acquired by Google, and that technology is now known as Google Earth.

In-Q-Tel’s  investments  are  strategic,  as 
opposed  to  financial,  according  to  Geer.  It 
is  a  model  that  he  believes  is  easier  in  this 
difficult  economy. 

“What we are looking for is not all that related to how the banks are doing. We don’t throw money away. So if a company is just not going to make it because, for whatever reason, their market is going to be delayed three years and they won’t be there by then, of course we pay attention. It has to be a going concern and something that has a commercial future irrespective of the intelligence community. But what we try and do is make it possible for them to add to their product mix in a way they might not otherwise be able to do. So I think this is actually a fabulous time to be doing this.”

Collaboration Leads to Innovation

Robert Rodriguez, like Geer, has taken his long career in security in the nonprofit direction. A 22-year veteran of the Secret Service, Rodriguez is using his knowledge of government culture to foster relationships between public, private and government organizations. As chairman of the nonprofit Security Innovation Network, Rodriguez’s goal is to increase collaboration that will lead to the innovation of security technologies that maintain and protect our nation’s IT and telecommunications critical infrastructures.

“Sometimes you have to move out of your neighborhood to really see your neighborhood. There is another world of innovation outside the Washington, D.C., Beltway and SInet (SIN) is opening a door of these lesser-known solution providers to the Department of Defense, Department of Homeland Security, the National Security Agency and other federal government agencies, along with the industry and investment markets. We are trying to create awareness of available solutions out there that they don’t know about.”

Rodriguez is attempting to give small, innovative companies with promising technology an audience with decision makers in government.

“They see the same, usual suspects, a term they use in expressing their desire to reach outside their neighborhood. A lot of the folks that apply for grants within the Beltway understand the process, which is very complicated,” says Rodriguez. “SInet is attempting to open the door to those small companies in the garage in Maine or Louisiana that have no clue as to how the government operates, but would like an opportunity. So in essence, it is bridging the gap between the Silicon Valley and the Beltway.”

As a nonprofit, SIN relies on sponsorship. The economy has strained efforts to find backers, according to Rodriguez.

“Did  I  achieve  the  sponsorship  level 
that  I  wanted  for  this  year?  Yes,  but  I  had 
to  ask  more  people.  I  was  still  able  to  get 
Wells  Fargo,  Intuit,  eBay,  General  Dynam¬ 
ics,  Man  Tech,  Stanford  and  others.  I  also 
opened  it  up  to  emerging  companies  this 
year,”  he  says.  “What  I  hear  from  compa¬ 
nies  is  that  their  travel  and  overall  budget  is 
affected.  But  I’m  also  concerned  about  the 
startups.” 

Measuring  Security’s 
Value  to  Business 

A lot has changed in the 20 years since Rich Pethia first took the reins as director of Carnegie Mellon University’s Computer Emergency Response Team (CERT). CERT was initially launched as the first Internet security response organization and is celebrating its 20th anniversary this year. Pethia was there in 1988, when a graduate student at Cornell University let loose the first Internet worm, and CERT coordinated the effort to stop the malicious code.

“In those days, the Internet was probably about 200,000 total systems and almost all of them were here in the U.S. Most were in university research labs, some in the government. A few were in the private sector, although commercial use was not yet something that was done with the Internet.”

These days, CERT—initially chartered as a response center for anyone on the Internet that had security problems—has moved away from that role to offer more support and research to the IT security industry. Through his current work, Pethia sees the difficulties that many organizations have implementing effective infosec practices because so many are crafting their programs with compliance as the main influence. Many don’t understand how to use security practices in a way that reduces risk, says Pethia.

“In too many cases we see security programs that are all sort of check-the-box compliant. The other thing is we see people struggle to implement security practices in a way that integrates without other IT management and risk management and continuity practices in the organization.”

CERT recently released a “Resiliency Engineering Framework” that Pethia describes as a model that helps organizations understand if they are making real progress in risk management and how to measure that. However, measurement and benchmarks can be difficult in security, admits Pethia.

“In all cases, security is content specific. The practices and technologies used in an organization have to be tailored to an organization’s management structure and the way its technology is structured. So I think the approach that does make sense is for an organization to look at itself over time and see how it improves.”

Back at Navistar, Martinicky believes measurement is essential for security to make its case to the business. If security wants not only to survive, but even thrive now, security managers need to find ways to prove the worth of their department’s work.

“When I talk to some of my peers about what is happening in their companies and if certain facilities are being closed, I see it’s really important to measure what security does. It’s important to show the value and look at security from the business perspective, not just the security perspective. I think as long as security can show to the business team what their value is, security will be seen as a partner.” ■


Reach  Senior  Editor  Joan  Goodchild  at 
jgoodchild@cxo.com. 


Photo  left  by  Stan  Kaady;  top  right  courtesy  of  Robert  Rodriguez 


May  2009  www.csoonline.com  31 


COMMUNICATION 


Five Steps to Communicate Security’s Value to Nonsecurity People

In belt-tightening times, making the case for security investment is more difficult than ever. Security Catalyst founder Michael Santarcangelo details five steps that risk professionals can use to communicate value effectively. By Joan Goodchild

THE BIGGEST CHALLENGE security teams face in their organization is one of perception, according to Michael Santarcangelo, founder of Security Catalyst, a New York-based consultancy focused on changing the way people protect information. Santarcangelo, who was recently a keynote speaker at the CSO Perspectives conference, says professionals focused on security are practiced at looking at risks and reducing them. Unfortunately, the rest of society often doesn’t see risks the same way, making communication difficult.

“They lack relevant context,” says Santarcangelo. “Security people get wrapped up in thinking, ‘The CFO wants an ROI. We better work on ROI.’ But what the CFO is really saying is, ‘I don’t understand what you do, so you have to justify it to me.’”

Santarcangelo outlined his strategies for making the case for security investments at the three-day event held in Clearwater, Fla. He gave an audience of security professionals the details of his five-step process for getting executives and boards to understand and even approve spending decisions in tough economic times.

“What most people will do is say: ‘I’ve got a presentation in 20 minutes,’ and they open up PowerPoint and start making slides. And when they are done they go and read the slides to whomever they are going to talk to and then they get rejected.”

1. Create

Santarcangelo believes that one of the most effective ways to communicate value is to place focus back on the person to whom you are trying to make your pitch.

“The reason why someone changes a behavior or takes an action is because there is an inherent benefit to the person,” says Santarcangelo. “But when many people start to create, they forget that. They tend to fall into the trap of thinking: ‘I’m really smart and I know a lot of stuff. So I’m just going to say it and hope they will understand the value of it.’”

Instead, Santarcangelo recommends creating a presentation that keeps the motivation of the audience in mind.

“Talking to an executive is different from talking to a technologist is different from talking to an end user,” he says. “If we are going to communicate with someone in a way that they understand the value and support what we are asking for, we have to know what we are asking for. We have to think about what we want them to know.”

2. Connect

We connect to people through stories, according to Santarcangelo. Before you make your pitch, find something in their experience base that you can reference and that your audience can connect to and understand.
Santarcangelo recommends asking yourself, “How can I explain this to them using their frame of reference? What is a story or example I can use to have that conversation?”

“If you are presenting to a broad audience, I always recommend using pop culture. Music or movies are great places to start. You can always preface with, ‘Did you see?’”

Of course, finding out what reference might work will take some prep work.

“The simplest way to do that is ask questions,” says Santarcangelo. “If the executive you will be presenting to is outgoing and friendly, talk to them. Find out what kind of TV shows they watch or sports team they really like. On the other hand, coming in with a sports analogy to someone who doesn’t like sports is going to be a swing and a miss. Find out ahead of time.”

Another strategy might involve taking a topical security reference, such as a high-profile breach, and asking: “How would we be impacted if that happened to us?”

3. Rehearse

The first time you practice your presentation will be different from the time you actually do it, according to Santarcangelo. Because your window of time to make your pitch or presentation will likely be small, rehearsing is important for maximum impact.

“The reason I call it rehearsal instead of practicing or testing is because when you rehearse, you are allowed to make a mistake. We tend to trend toward too much information. Rehearsing lets us distill. Rehearsing allows you to make sure your sequence and flow make sense.”

Photo by Veer

Winging a 15-minute presentation in hopes of obtaining financing for a multithousand or multimillion dollar security project may be possible when times are good, according to Santarcangelo. But now, more than ever, tight budgets require finesse and precision when making the case for spending money.

4. Deliver

If each of the five steps were given equal weight, delivery is only 20 percent. Yet many people jump right into delivery without planning or thinking or looking for a connection and rehearsing, says Santarcangelo.

But when you get to delivery, the trick is to put it out there without worrying about being perfect.

“It’s about being authentic,” he says. “If you honestly believe in it, put it out there. Don’t be afraid to make mistakes. You don’t have to be perfectly polished. Don’t worry about ums or ahs or reading from a script. The idea is to have a conversation.”

Once  you  have  thought  through  what  you  hope  to  get  out  of 
it,  and  once  you  have  put  together  a  story  and  have  practiced,  be 
natural  in  the  moment  once  you  get  to  it. 

“Make  your  case  succinctly  and  then  have  a  natural 
conversation.” 

5.  Review  and  Follow  Through 

When  you  are  done,  go  back  and  ask  yourself,  “How  did  it 
go?”  and  “If  I  had  that  conversation  again,  would  I  do  it  the 
same  way?” 

Once  you’ve  evaluated  in  your  own  mind  how  you  think  it 
went,  follow-through  is  important,  says  Santarcangelo. 

“Many  times,  our  first  connection  and  creation  may  not  have 
been  dead  on.  So  when  we  had  a  conversation,  things  didn’t  get 
resolved,”  he  says.  “If  you  go  back  and  say,  ‘I  didn’t  connect  the 
way  I  wanted  to  connect,’  you  can  follow  up  with  your  audience 
and  say,  ‘I  didn’t  explain  that  the  way  I  wanted  to.  I  know  you  are 
busy,  but  can  I  have  five  more  minutes?  I’d  like  to  explain  it  to  you 
differently.’”  ■ 


Reach  Senior  Editor  Joan  Goodchild  at  jgoodchild@cxo.com. 



[CSO VIEW]

By Ed Bellis


How  SCAP  Brought  Sanity  to 
Vulnerability  Management 

One  CISO  on  the  Security  Content  Automation 
Protocol  and  turning  chaos  into  order 


It’s safe to say that vulnerability assessment tools have become commonplace within most security teams’ toolboxes. As security programs mature, they often begin to look at ways to automate tasks that are mundane and repetitive.

These  applications  have  become  better 
at  identifying  common  mistakes  within 
Web  applications,  patch  management, 
configurations,  systems  and  database 
hardening. 

But with the proliferation of vulnerability assessment products and services, we have begun to create a different problem.

Any organization that maintains a reasonably sized infrastructure or Web presence can easily end up with many different applications, services and tools to maintain and monitor their vulnerabilities. These tools include VA scanners to identify security bugs within applications, databases, hosts and networks.

Vulnerability management programs may also employ software-as-a-service (SaaS) solutions to assist in vulnerability identification through both automated tools and manual testing.

Static  source  code  analysis  tools  add  to 
the  internal  store  of  vulnerabilities.  Want 
more  data?  How  about  adding  the  results 
of  your  penetration  tests? 

This vulnerability data may include Web application vulnerabilities—technical vulnerabilities missed by VA scanners, social engineering exploits through a lack of processes or awareness and logic flaws.

A  Mountain  of  Data 

As we begin to find out, in some cases, maturity can bring complexity and more data! But more data is just the tip of the iceberg.


How  does  a  CISO  connect  all  of  this 
data?  How  does  management  understand 
what  issues  and  bugs  should  be  prioritized 
when  conducting  remediation? 

Once  prioritized,  how  do  we  then 
migrate  these  bugs  to  our  bug-tracking, 
change-management  and  trouble  ticketing 
systems? 

Your problem is not only managing the mountain of data you’re sitting on, it now includes managing all of this data described in different ways—managing vulnerability assessment reports that contain overlapping bugs or false positives. Identifying your bugs and problems is no longer the primary issue. You now have to do something about them.

In  order  to  get  these  vulnerabilities 
closed,  the  security  teams  need  to  start 
sorting  and  moving  this  data  around  and 
getting  the  appropriate  issues  in  front  of 
management,  developers  and  engineers. 

You’ve taken the step to add more tools to your management arsenal to eliminate the mundane and repeatable tasks only to have your team stuck with enough mundane and repeatable tasks to occupy a small army of security professionals!

So  when  taking  on  this  problem,  I  set 
out  with  six  basic  requirements: 

Schema normalization: All vulnerability data needs to be described in the same manner to compare apples to apples across host, network, application and database vulnerabilities.

Use existing standards (where possible): Don’t re-invent the wheel.

Connect  the  data:  If  we  don’t  do  this, 
we’re  not  solving  the  problem!  The  primary 
purpose  of  our  solution  is  to  eliminate  these 
silos  of  data,  reporting  and  tracking. 

Define our metrics: I thought this might be one of the easier requirements; after all, we already have some vulnerability metrics as part of our current program. Lo and behold, as I drilled deeper into this, I discovered once this data is tied together it gives us additional views and metrics to track and measure our success.

Useful reporting: Once I have centralized, normalized and correlated this data, I have the ability to crack open the database and sort this any way I see fit.

Keep  it  simple:  Enough  said. 

Enter  the  Security  Content 
Automation  Protocol  (SCAP) 

What’s  SCAP,  you  ask?  Until  last  year  I 
hadn’t  heard  of  it  either.  I  was  struggling 
with  some  development  I  had  taken  on 
myself  to  help  address  the  problem. 

It  became  a  personal  project  of  mine  to 
go  out  and  build  something  to  solve  this 
ever-growing  issue. 

I was making some progress on a caffeine-fueled weekend development bender when reality hit me in the face.

I’ve been successful at building some automated connectors to “move” much of the data, but how on earth was I going to describe this data in common terms and normalize the vulnerabilities?

That  week  I  happened  to  send  out 
a  “tweet”  on  Twitter  describing  my  new, 
painful  reality  when  a  friend  and  follower 
of  mine,  Mike  Smith  (@rybolov  on  Twitter), 
responded  with,  “You  need  SCAP!” 

I looked it up and found that SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards.

These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration.

This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools.

OK, so that’s a heck of a lot of acronyms. Now let’s see how this helps me in building a real solution.

As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners.

In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments.

I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal!

I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms.

I  can  score  many  of  these  utilizing  CVSS, 
which  not  only  gives  me  a  common  scoring 
formula,  it  is  now  being  utilized  by  audit 
standards  such  as  the  PCI  DSS,  which  is 
very  helpful  in  my  world  of  e-commerce. 

Connecting  the  Dots 

Once I have all of my vulnerability information stored in a centralized data store, I can create reporting and metrics that give management a view into our security vulnerability state across all applications, hosts, networks, databases, etc.

This centralized and normalized data also gives the CISO and technology management the ability to prioritize security-bug-fixing work.

From there I can now build connectors into my remediation systems, such as bug trackers and trouble ticketing systems, closing the time from identification to remediation dramatically.
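The pipeline the column describes (pull findings from tool APIs and XML feeds, map them onto a CVE + CPE + CVSS schema, drop duplicates that reference the same CVE on the same platform, rank the rest for remediation) as an added Python example; this is illustrative code written for this page, not the author's or Orbitz's tooling. The two scanner feed formats, their field names, the tool names, and the CVE and CPE identifiers are constructed placeholders; the CVSS v2 base-score arithmetic follows the published v2 formula.

```python
"""Constructed example (not the author's or Orbitz's code): pull findings from
two invented scanner exports, map them onto a SCAP-style record keyed by
CVE + CPE, merge duplicates, score with CVSS v2 and rank for remediation."""
import math
import xml.etree.ElementTree as ET

# CVSS v2 base-metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}


def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176      # spec: f(Impact) = 0 when Impact = 0
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(score * 10 + 0.5) / 10      # round half up to one decimal


# Constructed feed 1: a host/network scanner's JSON-style API result.
# All identifiers below are placeholders, not real CVEs or products.
HOST_SCANNER = [
    {"host": "10.0.0.5", "cve": "CVE-0000-0001", "cpe": "cpe:/a:acme:shop:1.2",
     "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"host": "10.0.0.5", "cve": "CVE-0000-0002", "cpe": "cpe:/o:acme:linux:4",
     "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
]

# Constructed feed 2: an application scanner's XML export for the same app.
# It re-reports CVE-0000-0001 (a duplicate) and adds an integrity-only issue.
APP_SCANNER_XML = """<report>
  <issue cve="CVE-0000-0001" cpe="cpe:/a:acme:shop:1.2" vector="AV:N/AC:L/Au:N/C:P/I:P/A:P"/>
  <issue cve="CVE-0000-0003" cpe="cpe:/a:acme:shop:1.2" vector="AV:N/AC:M/Au:N/C:N/I:P/A:N"/>
</report>"""


def from_host_scanner(rows, tool="hostscan"):
    """Map the JSON-style feed to (cve, cpe, vector, tool) tuples."""
    return [(r["cve"], r["cpe"], r["vector"], tool) for r in rows]


def from_app_scanner(xml_text, tool="appscan"):
    """Map the XML feed to the same tuple shape."""
    root = ET.fromstring(xml_text)
    return [(i.get("cve"), i.get("cpe"), i.get("vector"), tool)
            for i in root.iter("issue")]


def normalize(*feeds):
    """Merge feeds into one record per (CVE, CPE), keeping the set of reporting tools.

    Two tools reporting the same CVE on the same platform collapse to one
    finding; the first vector seen is kept and scored once.
    """
    merged = {}
    for feed in feeds:
        for cve, cpe, vector, tool in feed:
            rec = merged.setdefault((cve, cpe), {
                "cve": cve, "cpe": cpe, "vector": vector,
                "cvss": cvss2_base_score(vector), "tools": set()})
            rec["tools"].add(tool)
    return merged


def prioritize(merged):
    """Order findings for remediation: highest CVSS first, then by CVE id."""
    return sorted(merged.values(), key=lambda r: (-r["cvss"], r["cve"]))


def build_queue():
    """End-to-end run over the constructed feeds; returns the ranked list."""
    return prioritize(normalize(from_host_scanner(HOST_SCANNER),
                                from_app_scanner(APP_SCANNER_XML)))


if __name__ == "__main__":
    # Three raw findings become three records; the duplicate is seen by both tools.
    for r in build_queue():
        print(f'{r["cvss"]:4.1f}  {r["cve"]}  {r["cpe"]}  seen by {sorted(r["tools"])}')
```

The ranked records are what a connector would push into a bug tracker or ticketing system, one ticket per (CVE, CPE) rather than one per scanner report.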

In the end I hope to address this heaping data issue giving security teams the ability to once again automate the mundane and repeatable, and at the same time accelerate the “time to close” gap that organizations often suffer from.

I’m  not  quite  there  yet,  but  I’m  getting 
awfully  close. 

Care  to  help  me  out?  ■ 


Ed Bellis is CISO of Orbitz.




[FORRESTER VIEW]

Andrew Jaquith

Whose Job Is It Anyway?

Forrester believes CISOs must revisit the need to manage data security centrally

Forrester has a recommendation for CISOs struggling with how to secure corporate data:

Stop trying so hard.

Despite years of investments in technology and processes, protecting enterprisewide data remains a maddeningly elusive goal for chief information security officers (CISOs). Software as a service (SaaS), Web 2.0 technologies, and consumerized hardware increase the number of escape routes for sensitive information. Regulations, statutes and contractual expectations drown CISOs in audit requests and ratchet up the pressure to do something about the problem. Hordes of vendors confuse CISOs with innumerable sales pitches.

Instead of beating your head against the wall, devolve responsibility to the business by keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization.

Data-Centric  Security  Is  More 
Important  Than  Ever-But 
Harder  to  Achieve 

Today’s regulatory climate forces IT security to comply with statutes such as Sarbanes-Oxley and HIPAA, industry-imposed security standards such as the PCI Data Security Standard (DSS) and an unending barrage of audit requests from key customers, banks and auditors. From Boeing to Petrobras to The TJX Companies, daily newspaper headlines grimly announce the latest toxic data spills, causing increased customer scrutiny.

The pressure on IT security to secure enterprise data in all its forms has reached its breaking point. According to Forrester’s Enterprise and SMB Security Survey, North America and Europe, Q3 2008, a huge majority of IT professionals—85 percent—worry about the loss of intellectual property. But IT security staffs are stretched thin and are increasingly challenged to solve an essentially unbounded problem. Organizations today face:

Massively increased conduits for information flow. Fifteen years ago, the most common Internet connection was the T1. Today, it is the OC-12—two orders of magnitude of more bandwidth. Increasingly, mainstream technologies like virtualization are redrawing the lines between operating systems and the hardware they run on. And the adoption of nonowned IT assets continues apace. The confluence of outsourcing, SaaS and unmanaged consumer gadgets ensures that IT security’s grip on information has never been more tenuous.

Consumerization of IT moves data beyond the reach of the CISO. The increased use of Web 2.0 technologies such as blogs, social networking and consumer-grade instant messaging increases the speed with which information moves outside of the enterprise. Worse, the pace of change of consumer gear tempts employees to ditch stodgy corporate hardware and bring their own gear to work—creating even more data worries.

Illustration by Esteban


[Advertisement: Security Smart Newsletter]

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees—saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees—your organization's most valuable assets—will read and retain the information.

Subscribe today!

To view a sample issue of the newsletter, learn about the delivery options and to subscribe visit: www.SecuritySmartNewsletter.com

For more information please visit www.SecuritySmartNewsletter.com

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.


Too many vendor point products. In considering solutions for securing data, enterprise CISOs are confronted with the tyranny of choice. Lost a laptop lately? Full-disk encryption will fix that. Employees promiscuously passing around payment card records? A dab of data loss prevention (DLP) will surely do the trick. The surfeit of solutions to narrowly defined technical problems ensures that the wish list only gets longer.

Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption everywhere, enterprise key management, network access control (NAC) and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move information, classification isn’t ingrained into work processes, technical solutions aren’t standardized and accountable parties are too far from the controls.

Succeeding at data security means CISOs must define data security down: Reset the commonly accepted definitions of what the problem is, who owns it and what the solutions should be. That means:

1. Name the exact business content that requires tough security measures. Enterprises don’t have “data security” problems or “intellectual property” problems, but they do have legitimate, spontaneous, sweat-inducing worries about the circulation of specific, named data assets such as earnings forecasts, product road maps, system passwords, financial models and personally identifiable information about customers. Asking each part of the enterprise to name its most important digital assets is the first step. CISOs must push for business unit ownership rather than taking the easy way out and making decisions on their behalf.

2. Put accountability where it belongs—with functional areas and business units. Responsibility for classifying information and restricting its flow is ultimately a business challenge, not a technical challenge. How documents, spreadsheets and e-mails are used depends on workgroup and business unit preferences.

That means that inside counsel owns e-mail eDiscovery and retention, product engineering owns CAD drawings and finance owns accounts and earnings projections. These groups know who should and should not have access and what should happen if their assets are misused. IT security’s primary role should be to help source, design, and install the technical controls in place that will enable them to express and enforce their compartmentalization needs—not to be the gatekeeper.

3. Reengineer the workplace so thinking isn’t required. The most obvious and visible data threats to enterprises are employee-related: the loss of a laptop, disgruntled workers, theft of documents by thumb drive or abuse of e-mail. IT security’s natural instinct is to be the wet blanket; instead, IT should seek to engineer environments that foster efficiency, impose no productivity burdens and offer security as a side effect. Not all approaches will work everywhere, but honest discussions about the realities of how information is created and consumed will unearth solutions that centralized, tools-reliant approaches won’t.

The net effect of these three priorities is to reshape the CISO’s data security priorities. Instead of trying fruitlessly to be the enterprise’s all-knowing content guardian, censor authority and compliance guru, the CISO devolves responsibility of these activities to the business. IT security becomes a clearinghouse for data security tools that business groups can use as they see fit.

Data-Centric Security Means Devolution

Devolution means avoiding the trap of shelfware and stalled pilots and putting accountability where it belongs—with the business units. Forrester recommends three key steps CISOs should take to succeed:

Step one: Take ownership for basic data security tools. IT security should take the lead with tools that require no customization, such as laptop whole-disk encryption and terminal services. Both are relatively simple to implement and offer effective protection while not impeding productivity. In addition, IT security should offer data flow monitoring services to all business units.

Step two: Allow business units—not IT security—to drive business data protection initiatives. For tools like database encryption, port/URL blocking and data-loss prevention, IT security’s role should be limited to providing expert advice, ensuring consistency by setting standards and consulting with business units as they deploy solutions.

Step three: Rethink how users work. Accepted best practices for security programs rely heavily on end-user education, perhaps too much. IT security should perceive gaps in information handling practices as opportunities to reengineer the workplace. Rather than stress inordinately the necessity to "educate" employees on the need to think about security, IT security should focus on making controls no-load, no-think and inescapable. In particular, the enterprise should promote strategies that reduce the need for sensitive data on endpoint devices.

Succeeding at data security requires CISOs to abandon plans to control data access in a centralized manner. Devolution of data security responsibilities to business units is the key. ■


Andrew Jaquith is a senior analyst covering data protection at Forrester. He has previously worked at Yankee Group and @Stake.


Succeeding at data security means CISOs must define data security down: reset the commonly accepted definitions of what the problem is, who owns it, and what the solutions should be.


38  www.csoonline.com  May  2009 


Alta Associates

7th Annual Executive Women's Forum

Information Security, Risk Management & Privacy

September 23-25, 2009 | Hyatt Regency at Gainey Ranch | Scottsdale, AZ

Pragmatic Risk Solutions for Changing Times: Achieving More with Less

The 7th annual Executive Women's Forum brings together more than 200 women of influence, power and intelligence to exchange pragmatic risk solutions. Hosted by Alta Associates, Inc.

Women of Influence Awards

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO Magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy.

Winners will be announced at an awards ceremony during the Executive Women's Forum.

NOMINATION FORM AVAILABLE AT: www.ewf-usa.com

Nominations MUST be submitted by August 1, 2009


Panels Include:

• Winning Mind Share: Writing Effective Proposals
  - Tie IT investments to business drivers, calculate ROI based on your project and lower the overall risk to your company.

• Compliance Globalization Framework Workshop
  - Develop requirements and controls to multiple obligations, create a unified approach, and consider the benefits and costs.

• Emerging Technologies Workshop: Cloud Storage & Computing, Web 2.0 and Mobility
  - Work in groups to discuss and then present the current state, architecture, risks, rewards & tools used to evaluate them.

• Gaining Efficiencies through Vendor Risk Management
  - Discuss third party relationship life cycles and take away a risk assessment framework.

• The Future Privacy Landscape
  - In our desire to collaborate, how do we maintain basic privacy?

For more information on the EWF or to register, please visit: www.ewf-usa.com


MEDIA SPONSOR & awards co-presenter: CSO

FORUM HOST & awards co-presenter: Alta Associates, specialists in executive recruiting

DIAMOND SPONSORS: Symantec, CA, Information Networking Institute (Carnegie Mellon), Microsoft


ROI:

• Earn 17 CPE Credits
• Build a Network of the Most Dynamic Women in Our Industry
• Take Home Tools, Templates & Solutions to Achieve Success
• Expand Your Expertise & Capabilities


[debriefing]

The Final Tweets of Harold Wigginbottom, Tech-Savvy CEO

Wiggy107 Amped for South America trip to fire up Colombian sales force! Landing Tues 5/12 around 4:10pm
10:13 AM May 10 from web

Wiggy107 Airport time = reading time. Briefcase locked & loaded w/ Q4 projections and R&D reports. Then Tetris!
7:01 AM May 12 from TwitterBerry

Wiggy107 Did I leave front door unlocked? Will find out when I'm back next week LOL! Preboarding 1st class now!
7:42 AM May 12 from TwitterBerry

Wiggy107 Wheels down! Bogota airport kinda sketchy. Hooray, admin musta remembered car service -- driver has sign for Wiggy107!
4:19 PM May 12 from TwitterBerry

wiggy107 DON'T WORRY, EVERYTHING IS FINE. PLEASE SEND LOTS OF $$$$ TO THIS WESTERN UNION OFFICE...
5:31 PM May 15 from TwitterBerry


PhoneFactor adds a second layer of security, an automated phone call, to any login. Users simply enter their username and password, and instantly they get a call. They answer and press # to complete their login.

"Even if a hacker has your password, your account remains secure." - New York Times

Try PhoneFactor for FREE at www.phonefactor.com/cso or call 1.877.No.Token.


NEED MORE SECURITY?


CA Security Management software streamlines your IT security environment so your business can be more secure, agile and compliant without upsizing your infrastructure. All with faster time to value. Greater efficiency starts with more efficient IT.

That's the power of lean. ■


more at ca.com/security

Copyright © 2009 CA. All rights reserved.


